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DETAILED ACTION 
Continued Examination Under 37 CFR LI 14 

1 . A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1. 17(e), was filed in this application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.1 14, and the fee set forth in 37 CFR 1.17(e) 
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.1 14. AppUcant's submission filed on 08/23/07 has been entered. 

Claims 1, 6, 23-24, and 26 have been amended. Claims 1-6, 9-17, and 20-26 are pending. 

Response to Amendment 

2. Applicant's amendment claim 26 is sufficient to overcome the claim objections set forth 
in the previous office action. Examiner notes that applicant has marked claim 26 "previously 
presented" instead of "currently amended", showing the change to the numbering. Examiner 
respectfully requests that apphcant mark such changes in the future to avoid a notice of non- 
compliance. 

Allowable Subject Matter 

3. Claim 21 is objected to as being dependent upon a rejected base claim, but would be 
allowable if rewritten in independent form including all of the hmitations of the base claim and 
any intervening claims. 

Claim Rejections - 35 USC §102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 



Application/Control Number; 

10/022,438 

Art Unit: 3623 



Page 3 



A person shall be entitled to a patent unless- %. 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

5. Claims 1-6, 9-17, 20, 22, and 25-26 are rejected under 35 U.S^C. 102(e) as being 
anticipated by Barton et al. (U.S. 2002/0059093). 

As per claim 1, Barton et al. teaches a method for use in compliance management, 
comprising: 

presenting, via a computer network, a user with a series of questions relating to at least 
one business category (See figure 11, paragraphs 0010, 0012-4, 0049, 0051, wherein questions 
are presented via the network concerning compliance risk); 

soliciting, via the computer network, a response from the user for each question presented 
(See paragraphs 0010, 0012-4, 0049, 0051, 0060, wherein the questions are answered); 

determining a detection index based on the number of responses and corresponding 
answers to each of the series of questions (See paragraphs 0013-14, 0060, 0081, and 0084, 
wherein detection is determined based on the responses received (and there answers) to a 
questionnaire. The system tracks when responses are received. The answers corresponding to 
the questions are used to perform calculations); 

determining an occurrence index based on the potential consequence of non-compliance 
(See paragraphs 0007, 0081, and 0084, wherein occurrence index is determined); 
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determining a standard severity risk index based on the expected severity of non- 
compliance (See paragraphs 0068, 0072-3, 0075, 0081, 0084, wherein severity indexes are 
considered); and 

prioritizing, via the computer network, the at least one business category based on the 
user's responses and at least one total risk score comprising the product of the detection, 
occurrence, and standard severity risk indices (See paragraphs 0081, 0084-7, wherein a risk score 
is calculated based on these factors. See also paragraphs 0068-9, 0072, 0081, 0090-1, where risk 
prioritization numbers are generated to determine the order to handle the risk areas of the 
business). 

As per claim 2, Barton et al. discloses wherein the user response comprises a "Yes" or 
"No" (See paragraphs 0060 and 0064, wherein the questions are answered yes/no). 

As per claim 3, Barton et al. discloses wherein the at least one standard severity risk 
index comprises a number between 1 and 10 corresponding to a specific level of risk (See 
paragraph 0060, 0068, 0072-5, wherein severity is valued 1-10). 

As per claim 4, Barton et al. discloses wherein the number "T' comprises the lowest level 
of risk severity, and the number "10" the highest level of severity (See paragraph 0060, 0068, 
0072-5, wherein 1 is low and 10 is high severity). 

As per claim 5, Barton et al. teaches wherein the at least one standard severity risk index 
corresponds to the at least one business category (See paragraph 0040, 0060, 0068, 0072-5, . 
which corresponds to at least one business category. See also figure 1 1). 

As per claim 6, Barton et al. discloses the step of determining a detection index based on 
the user's responses, and the number of users (See paragraphs 0065 and 0084, wherein the 
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detection index is determined based on the responses from the at least one user). Barton et al. 
also generates a score based on the number of questions presented (i.e. "opps") (See paragraphs 
0065 and 0084, where the number of questions presented (ie opportunities) are used to determine 
a score). 

As per claim 9, Barton et al. teaches ranking the at least one business category based on 
the at least one total risk score (See paragraphs 0081, 0084-7, wherein a risk score is calculated. 
See also paragraphs 0068-9, 0072-5, 0081, 0090«1, where risk is prioritized). 

As per claim 10, Barton et al. teaches a system for use in compliance management, 
comprising: 

a query module associated with an engine for presenting at least one user with a series of 
questions relating to at least one business category, and for soliciting and receiving responses 
from the at least one user for each question presented (See figure 1 1, paragraphs 0010, 0012-4, 
0049, 0051, 0060, wherein questions are presented via the network concerning compliance risk 
and answers are received);; 

a prioritization module associated with the engine for: (1) determining a detection index 
based on the number of responses to each of the series of questions, determining an occurrence 
index based on the potential consequence of non-compliance, and determining a standard 
severity risk index based on the expected severity of non-compliances (See paragraphs 0068, 
0072-3, 0075, 0081, 0084, wherein a detection, occurrence, and severity index are determined) 
and (2) prioritizing the at least one business category based on the at least one user's responses 
and at least one total risk score comprising the product of a detection, occurrence and standard 
severity risk indices (See paragraphs 0081, 0084-7, wherein a risk score is calculated based on 
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these factors. See also paragraphs 0068-9, 0072, 0081, 0090-1, where risk prioritization numbers 
are generated to determine the order to handle the risk areas of the business). 

As per claim 1 1, Barton et al. teaches wherein the series of questions are presented to the 
user over a communications network (See figure 1 1, paragraphs 0010, 0012-4, 0049, 0051, 0060, 
wherein questions are presented via the network). 

As per claim 12, Barton et al. teaches wherein an administration module associated with 
the engine for inputting, updating and accessing data associated with the query and prioritization 
modules, the administration module being accessible to an administrator of the system via an 
administration interface (See paragraphs 0012-3, 0048-51, 0060, 0064, wherein an administrator 
and interface is disclosed). 

Claims 13-17 and 20 recite equivalent limitations to claims 2-6 and 9, respectively, and 
are therefore rejected using the same art and rationale as applied above. 

As per claim 22, Barton et al. teaches wherein the occurrence index weighs the total risk 
score based on the potential consequences of non-compliance (See paragraphs 0081, 0084-7, 
wherein a risk score is calculated based on these factors, and wherein occurrence influences and 
affects the overall score. See also paragraphs 0072 and 0075). 

As per claim 25, claim 25 is rejected using the same art and rationale set forth above with 
respect to claim 21. Barton et al. further discloses assessing a potential consequence of non- 
compliance, the potential consequence of non-compliance relating to parameters and the values 
of such parameters (See figure 16 and paragraphs 7, 38, 42, 44, 55, that disclose potential 
consequences (failure effects) of failures of non-compliance); 
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determining an occurrence index based on the potential consequence of non-compliance that was 
assessed, such that the occurrence index changes as the parameters associated with the potential 
consequence of non-compliance change, the occurrence index that is determined being one of at 
least three possible occurrence indices, the at least three possible occurrence indices being 
provided as possible occurrence indices (See figure 16 and paragraphs 81 and 84, which disclose 
an occurrence index that results from the identified potential failures and the failure's effects. 
The occurrence index can be chosen from a set of 1-10). 

As per claim 26, Barton et al. teaches wherein the detection index by a relationship 
between the number of queries or questions that were answered with a particular response, the 
total number of queries or questions in the category, and the number of departments or units 
responding (See paragraphs 0010, 0012-4, 0049, 0051, 0060, wherein the questions are 
answered. Paragraphs 56-9, 62, 72, and 90, specifically discuss the gathering of information 
from interviews and questionnaires into the knowledge base of the system. This knowledge base 
is relied upon to determine the detection index. See specifically paragraphs 0081 and 0084, 
wherein detection is determined using the knowledge base). 

Claim Rejections - 35 USC §103 
6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 
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7. Claims 23-24 are rejected under 35 U.S.C. 103(a) as being unpatentable over Barton et al. 
(U.S. 2002/0059093). 

As per claims 23 and 24, Barton et al. teaches the potential consequence of non- 
compliance (See paragraphs 0081 and 0084-6). However, Barton et al. does not expressly 
disclose that the potential consequence of non-compliance is based on the total number of agents 
or employees affected by non-compliance or the total number of policies in force. 

Barton et al. discloses that the potential consequence of non-compUance, which is 
considered in the system when determining an occurrence index. It is old and well known in the 
art that employees and the number of policies are factors that cause occurrences of non- 
compliance, such as a regulation being violated by a policy or an employee not following a rule. 
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to consider employees affected by non-compliance and the total number of policies in 
force in the occurrence index when considering the potential consequence of non-compliance in 
Barton et al. in order to more efficiently determine the potential for failure concerning the 
business by taking into account the areas in which non-compliance events may occur. See 
paragraphs 0065 and 0084. 

Response to Arguments 

8. Applicant's arguments with regards to Barton et al. (U.S. 2002/0059093) have been fully 
considered, but they are not persuasive. In the remarks, Applicant argues that (1) Barton et al. 
does not teach or suggest "determining an occurrence index based on the potential consequence 
of noncompliance" and that the occurrence factor of Barton is concerned with whether a non- 
compliance is likely to occur (i.e. likelihood) instead of the potential consequence, (2) Barton et 
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al. does not teach or suggest a detection index based on a number of responses to each of the 
series of questions, (3) Apphcant traverses the assertion of official notice with respect to claims 
23-24, and that "It is old and well known in the art that employees and the number of policies are 
factors that cause occurrences of non-compliance, such as a regulation being violated by a policy 
or an employee not following a rule", and (4) Barton et al. does not disclose using an occurrence 
index based on the potential consequences of non-compliance based on the total number of 
agents or employees affected by non-compliance or based on the total number of policies in 
force. 

In response to argument (1), Examiner respectfully disagrees. The claim recites, 
"determining an occurrence index based on the potential consequence of noncompliance", and 
thus the claim does not recite a specific manner in which the index is determined, but merely that 
it is based (i.e. being founded or established) on the potential consequences (or potential effect, 
result, or outcome) of noncompliance, therefore, the recitation of "potential consequences of 
noncompliance" requires that the determined index considers the fact that consequences of non- 
compliance occur. Examiner further points out that in the broadest reasonable interpretation of 
the claim, the term "determining" would mean deciding on, discovering, or finding out. The 
claim does not require the use of a specific algorithm or method within the scope of the claim 
language. Thus, the language "determining an occurrence index" merely requires setting a value 
in the system that reflects the value of the index based on received answers to questions. 

Barton et al, teaches "determining an occurrence index based on the potential 
consequence of noncompliance" as shown in at least paragraphs 81 and 84. Barton et al. 
identifies potential failure modes and root causes of these failures in order to quantify 
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compliance issues, assess potential risks, and mitigate and control risks. The term failure, within 
the context of Barton et al., is compliance failure and includes the causes and effects of failure. 
Thus, the possibility of failure is a potential consequence of noncompliance. See at least 
paragraphs 7, 38, and 42. An FMEA matrix is constructed that includes a likelihood of 
occurrence factor. Using the rating system, numbers are calculated using an occurrence factor to 
rank risks of noncompliance and recommend actions to reduce the risks. All of these 
calculations are based on the fact that failures occur. Therefore, the Occurrence Index is the 
value created using the rating system, which is based on the possibility of failure as a potential 
consequence of noncompliance. 

In response to argument (2), Examiner respectfully disagrees. Barton et al. discloses that 
a user responds to a questionnaire/interview. After these responses are received, the FMEA 
matrix is utilized to determine severity, occurrence, and detection. The detection factor 
represents whether or not potential fmlures will be detected based on the controls in place (based 
on that which was solicited from the user). Examiner notes that the claim recites "determining a 
detection index based on the number of responses and corresponding answers to each of the 
series of questions", but does not say how specifically the responses and answers are utilized in 
the determination. Examiner further notes that an index is merely a symbol or representation of 
detection and therefore a factor is an index in the broadest reasonable interpretation of the 
claims. See paragraphs 0013-14, 0060, 0081, and 0084. 

In response to argument (3), Applicant has attempted to challenge the Examiner's taking 
of OflBcial Notice. However, Applicant must seasonably traverse (challenge) the taking of 
Official Notice as soon as practicable, meaning the next response following an Office Action. If 



Application/Control Number: Page 1 1 

10/022,438 

Art Unit: 3623 

an applicant fails to seasonably traverse the Official Notice during examination, his right to 
challenge the Official Notice is waived. In this case, the official notice was first presented in the 
office action dated 1 1/02/06. Applicant filed a response on 03/02/2007, at which time applicant 
did not traverse Examiner's taking of official notice. A subsequent office action went out on 
5/23/07, and the applicant replied with the current response that challenges the official notice. 
Therefore, this challenge has not been seasonably presented. 

In response to argument (4), Examiner respectfully disagrees. Barton et al. does teach 
and suggest "determining an occurrence index based on the potential consequence of 
noncompliance", as explained above with respect to argument (1). Further, examiner maintains 
that it is old and well known in the art that employees and the number of policies are factors that 
cause occurrences of non-compliance, such as a regulation being violated by a policy or an 
employee not following a rule. Therefore, it would have been obvious to one of ordinary skill in 
the art at the time of the invention to consider employees affected by non-compliance and the 
total number of policies in force in the occurrence index when considering the potential 
consequence of non-compliance in Barton et al. in order to more efficiently determine the 
potential for failure concerning the business by taking into account the areas in which non- 
compliance events may occur. See paragraphs 0065 and 0084, which disclose such motivation. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Beth Van Doren whose telephone number is 571-272-6737. The 
examiner can normally be reached on M-F, 8:00-5:00. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 

I 

supervisor, Tariq Hafiz can be reached on 571-272-6729. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for pubUshed applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



bvd 

November 05, 2007 




